Featured Slideshow

In a Dallas courtroom on Thursday, writer and activist Barrett Brown was sentenced to 63 months in prison and was ordered to pay a little more than $890,000 in restitution and fines, according to reports.

Featured Spotlight

For the security industry, the tide is shifting. Executives and boards are recognizing future ROI benefits in beefing up security when alerted to the potential of a three to five percent sales decline following a data breach.

When it comes to credit card fraud, the hospitality industry has offered an attractive target for cyber criminals. Now, one trade group is helping these properties overcome security and compliance hurdles with a new framework.

The EMV standard, widely considered an effective way to curb counterfeit card fraud because it requires a microchip to be embedded in a credit or debit card or on a mobile device, is gradually picking up steam in the U.S.

Visa has issued best practices that detail how retailers, card issuers and processors can upgrade their credit card transaction technology to a chip-based model, so to avoid burdensome complexity, cost and time to market.

Tokenization solutions can simplify the requirements of PCI DSS by taking systems that no longer contain sensitive credit card numbers out of scope, according to a new guidance document from the PCI Council.

The PCI Security Standards Council, tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), on Tuesday issued two new guidance documents assessing the impact of emerging data security technologies on payment card security. One paper focuses on point-to-point encryption (P2PE), also commonly known as end-to-end encryption, an emerging technology used to mask cardholder data from point-of-swipe through processing. Properly implemented, P2PE will allow merchants to reduce their scope in complying with the PCI DSS, according to the document. A separate guidance document is focused on EMV, a global standard for authenticating credit and debit card payments. EMV and PCI DSS should complement each other and not be seen as competing standards, according to the PCI Council. — AM

Nations abroad may be forging ahead of the United States in terms of offering consumers enhanced cardholder protection, but the decision to move toward technology such as chip-and-PIN is not always cut and dry.

The group responsible for managing payment security rules plans to release two new guidance documents early next month assessing the impact of emerging data security technologies on payment card security.

Visa on Tuesday announced best practices for companies to use when implementing, installing and managing programs that process payment applications. The guidance will complement the existing Payment Application Data Security Standard (PA-DSS), which prescribes 14 requirements for software developers that build programs that process credit card payments. The Visa payment application best practices, developed in conjunction with the SANS Institute, include 10 guidelines and can be downloaded here. They are meant for vendors, integrators and resellers. — DK

Wal-Mart is reportedly about to institute smartcard-based payment at all its U.S.-based stores. A company spokesman revealed this week, according to reports, that payment terminals capable of recognizing chip-and-PIN technology could soon replace signature-based credit card transactions. The move by the world's largest retailer could force other merchants, card issuers and processors to migrate to chip-and-PIN technology, said experts. The system, which uses an embedded chip to verify the card is legitimate, is thought to be significantly safer than traditional magnetic stripe cards, but the cost of adopting the system, widely used in Europe and other countries, has delayed implementation. - GM

The group responsible for managing payment security rules has released version 3.0 of the PIN Transaction Security (PTS) standard. The new version replaces the PIN Entry Device (PED) standard in an effort to streamline point-of-sale security guidelines to also cover unattended payment terminals, such as fuel dispensers, and hardware security modules, which are nonuser facing devices used in PIN translations. The update "simplifies the testing process and eliminates overlap of documentation," according to the PCI Security Standards Council. The council also plans to release updates to its Payment Application Data Security Standard and flagship PCI Data Security Standard later this year. — DK

The PCI Security Standards Council, tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), on Friday announced a new training program designed to educate internal security personnel on conducting assessments. The three-day course, to be led by PCI Council experts, either will enable security departments to better work with with third-party assessors or allow them to conduct their own assessments, Bob Russo, the council's general manager, told SCMagazineUS.com. Merchants that process more that six million annual transactions are required to conduct annual on-site PCI DSS assessments. Classes will be held in multiple locations. For more information, including pricing, visit here. — DK

A new Washington state law set to go into effect July 1 will allow banks to recoup certain data breach losses from negligent businesses. Under the new law, passed by the state Legislature in late March, financial institutions can seek reimbursement from large retailers and credit card processors that have suffered a data breach — if they failed to comply with the Payment Card Industry Data Security Standard (PCI DSS). The new law is similar to a Minnesota statute passed in 2007. — AM

Forty-one percent of merchants are relying on compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements, according to a survey released Monday by the Ponemon Institute and commissioned by encryption firm Thales. The survey, which polled 155 qualified security security assessors, who are charged with confirming a company's adherence to PCI. Compensating controls "may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints," according to the PCI Security Standards Council. — DK

There is overwhelming evidence in reports such as the SANS Top Cyber Security Risks and the Verizon Data Breach Investigation Report that web applications are the Achilles' heel of most networks and criminals know it. In order to protect web applications, the network security paradigm has to shift from "Keep People Out" to "What Are They Doing?" and the IT infrastructure spending needs to follow suit.

Bruce Rutherford of MasterCard was named chairperson today of The PCI Security Standards Council, an organization that drives education and awareness of the PCI Data Security Standard and other best practices to increase payment data security. In the position, Rutherford, who is group head, fraud management solutions, payment system integrity at MasterCard, is charged with increasing adoption of the PCI standards and to refine the next version. - GM

RECENT COMMENTS

FOLLOW US

SC Magazine arms information security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.